Baltimore Spring 2019

Baltimore, MD | Sat, Mar 2 - Sat, Mar 9, 2019

We are aware that we may experience a weather event in the Mid-Atlantic Region on Sunday, March 3, 2019. Courses and their schedules will proceed as scheduled. For those of you who are commuting, please utilize your best judgement when traveling during inclement weather. In the event you are unable to make it in during registration check-in on Monday, March 4, 2019, please stop by the SANS Event Management Office and we will assist you with your registration. If you have any questions, please email registration@sans.org.

SEC575: Mobile Device Security and Ethical Hacking

Mon, March 4 - Sat, March 9, 2019

The explanations of the concepts behind the tools are great! SEC575 provides both the process and application of tools--not just a ton of tools and information.

Sean Burden, Western Union

The training in SEC575 pushes me out of my comfort zone. I am not a programmer, but I am heavily involved in mobile for enterprise.

James Taylor, DXA

Imagine an attack surface that is spread across your organization and in the hands of every user. It moves from place to place regularly, stores highly sensitive and critical data, and sports numerous different wireless technologies all ripe for attack. Such a surface already exists today: mobile devices. These devices are the biggest attack surface in most organizations, yet these same organizations often don't have the skills needed to assess them.

SEC575 NOW COVERS ANDROID PIE and iOS 12

SEC575: Mobile Device Security and Ethical Hacking is designed to give you the skills you need to understand the security strengths and weaknesses in Apple iOS and Android devices. Mobile devices are no longer a convenience technology: they are an essential tool carried or worn by users worldwide, often displacing conventional computers for everyday enterprise data needs. You can see this trend in corporations, hospitals, banks, schools, and retail stores throughout the world. Users rely on mobile devices more today than ever before -- we know it, and the bad guys do too. The SEC575 course examines the full gamut of these devices.

LEARN HOW TO PEN TEST THE BIGGEST ATTACK SURFACE IN YOUR ENTIRE ORGANIZATION

With the skills you learn in SEC575, you will be able to evaluate the security weaknesses of built-in and third-party applications. You'll learn how to bypass platform encryption and how to manipulate apps to circumvent client-side security techniques. You'll leverage automated and manual mobile application analysis tools to identify deficiencies in mobile app network traffic, file system storage, and inter-app communication channels. You'll safely work with mobile malware samples to understand the data exposure and access threats affecting Android and iOS, and you'll bypass lock screens to exploit lost or stolen devices.

TAKE A DEEP DIVE INTO EVALUATING MOBILE APPS, OPERATING SYSTEMS, AND THEIR ASSOCIATED INFRASTRUCTURES

Understanding and identifying vulnerabilities and threats to mobile devices is a valuable skill, but it must be paired with the ability to communicate the associated risks. Throughout the course, you'll review ways to effectively communicate threats to key stakeholders. You'll leverage tools, including Mobile App Report Cards, to characterize threats for managers and decision-makers, while also identifying sample code and libraries that developers can use to address risks for in-house applications.

YOUR MOBILE DEVICES ARE GOING TO COME UNDER ATTACK -- HELP YOUR ORGANIZATION PREPARE FOR THE ONSLAUGHT!

In employing your newly learned skills, you'll carry out a step-by-step penetration test of a mobile device deployment. Starting with gaining access to wireless networks to implement man-in-the-middle attacks and finishing with mobile device exploits and data harvesting, you'll examine each step of the test with hands-on exercises, detailed instructions, and tips and tricks learned from hundreds of successful penetration tests. By building these skills, you'll return to work prepared to conduct your own test, or better informed on what to look for and how to review an outsourced penetration test.

Mobile device deployments introduce new threats to organizations, including advanced malware, data leakage, and the disclosure to attackers of enterprise secrets, intellectual property, and personally identifiable information assets. Further complicating matters, there simply are not enough people with the security skills needed to identify and manage secure mobile phone and tablet deployments. By completing this course, you'll be able to differentiate yourself as having prepared to evaluate the security of mobile devices, effectively assess and identify flaws in mobile applications, and conduct a mobile device penetration test -- all critical skills to protect and defend mobile device deployments.

Course Syllabus

SEC575.1: Device Architecture and Common Mobile Threats

Overview

The first module of SEC575 quickly looks at the significant threats affecting mobile device deployments, highlighted by a hands-on exercise evaluating network traffic from a vulnerable mobile banking application. As a critical component of a secure deployment, we will examine the architectural and implementation differences and similarities between Android (including Android Pie), Apple iOS 12, and the Apple Watch and Google Wear platforms. We will also look at the specific implementation details of popular platform features such as iBeacon, AirDrop, App Verification, and more. Hands-on exercises will be used to interact with mobile devices running in a virtualized environment, including low-level access to installed application services and application data. We'll examine the tools used to evaluate mobile devices as part of establishing a lab environment for mobile device assessments, including the analysis of mobile malware affecting Android and non-jailbroken iOS devices. Finally, we will address the threats of lost and stolen devices (and opportunities for a pen tester), including techniques to bypass mobile device lock screens.

SEC575.2: Mobile Platform Access and Application Analysis

Overview

With an understanding of the threats, architectural components and desired security methods, we dig deeper into iOS and Android mobile platforms focusing on sandboxing and data isolation models, and on the evaluation of mobile applications. This module is designed to help build skills in analyzing mobile device data and applications through rooting and jailbreaking Android and iOS devices and using that access to evaluate file system artifacts. We will also start to evaluate the security of mobile applications, using network capture analysis tools to identify weak network protocol use and sensitive data disclosure over the network. Finally, we'll wrap up the module with an introduction to reverse engineering of iOS and Android applications using decompilers, disassemblers, and manual analysis techniques.

SEC575.3: Mobile Application Reverse Engineering

Overview

One of the core skills you need as a mobile security analyst is the ability to evaluate the risks and threats a mobile app introduces to your organization. Through lecture and hands-on exercises in this module, and with some analysis skills, you will be able to evaluate critical mobile applications to determine the type of access threats and information disclosure threats they represent. In this module we will use automated and manual application assessment tools to evaluate iOS and Android apps. We'll build upon the static application analysis skills covered in Module 2 to manipulate application components, including Android Intents and iOS URL extensions. We'll also learn and practice techniques for manipulating iOS and Android applications, such as method swizzling on iOS, and disassembly, modification, and reassembly of Android apps. The module ends with a look at a consistent system for evaluating and grading the security of mobile applications using the Application Report Card Project.

CPE/CMU Credits: 6

Topics

Automated Application Analysis Systems

iOS application vulnerability analysis with Needle

Structured iOS application header analysis

Tracing iOS application behavior and API use

Effective Android application analysis with Androwarn

Android application interaction and Intent manipulation with Drozer

Extracting secrets with KeychainDumper

Reverse Engineering Obfuscated Applications

Identifying obfuscation techniques

Decompiling obfuscated applications

Effective reconstructed code annotation with Android Studio

Decrypting obfuscated content with Simplify

Application Report Cards

Step-by-step recommendations for application analysis

Tools and techniques for mobile platform vulnerability identification and evaluation

SEC575.4: Penetration Testing Mobile Devices, Part 1

Overview

An essential component of developing a secure mobile device deployment is to perform or outsource a penetration test. Through ethical hacking and penetration testing, we examine the mobile devices and infrastructure from the perspective of an attacker, identifying and exploiting flaws that deliver unauthorized access to data or supporting networks. By identifying these flaws we can evaluate the mobile phone deployment risk to the organization with practical and useful risk metrics. Whether your role is to implement the penetration test, or to source and evaluate the penetration tests of others, understanding these techniques will help your organization identify and resolve vulnerabilities before they become incidents.

SEC575.5: Penetration Testing Mobile Devices, Part 2

Overview

Continuing our look at ethical hacking and penetration testing, we turn our focus to exploiting weaknesses on iOS and Android devices. We will also examine platform-specific application weaknesses and look at the growing use of web framework attacks in mobile application exploitation. Hands-on exercises are used throughout the module to practice these attacks, exploiting both vulnerable mobile applications and the supporting back-end servers.

SEC575.6: Hands-on Capture-the-Flag Event

Overview

In the final module of SEC575 we will pull together all the concepts and technology covered during the week in a comprehensive Capture-the-Flag event. In this hands-on exercise, you will have the option to participate in multiple roles, including designing a secure infrastructure for the deployment of mobile phones, monitoring network activity to identify attacks against mobile devices, extracting sensitive data from a compromised iPad, and attacking a variety of mobile phones and related network infrastructure components. During this mobile security event you will put into practice the skills you have learned in order to evaluate systems and defend against attackers, simulating the realistic environment you will be prepared to protect when you get back to the office.

CPE/CMU Credits: 6

Additional Information

Laptop Required

In this course students will use an advanced lab system to maximize the time spent on learning objectives, and minimize setup and troubleshooting.

Students may use a Windows or a macOS/OS X system for exercises. You will need a wired network adapter to connect to the classroom network. Larger laptop displays will make for an improved lab experience (less scrolling).

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

"SEC575 is a great course taught by a great instructor. There is so much useful information covered that is extremely relevant." - Adam Cravedi, Compass ITC

"I appreciate the formalized mobile application analysis report card information in SEC575; I can bring it back and use it at work to help formalize the application security program." - Adam Kliarsky, Disney

"I love the new lab structure in SEC575, because it doesn't require running or troubleshooting virtual machines--it's much faster." - Jem Jensen, NetSPI

Author Statement

I'm not sure exactly when it happened, but laptops and PCs have become legacy computing devices, replaced by mobile phones and tablets. Just when I thought we were getting a much better handle on the security of Windows, Mac, and other Unix systems, there has been an explosion of new devices wanting to join our networks that simply do not have the same security controls that we rely on in modern, secure networks.

Even with their weaknesses, mobile phones are here to stay, and we are being called on to support them more and more. Some organizations try to drag their feet on allowing mobile phones, but that ultimately contributes to the problem: if we do not address security, the threats continue to grow, uncontrolled and unmonitored.

Fortunately, we can securely deploy, manage, and monitor mobile phones and tablets inside our organizations through policy and careful network deployment and monitoring. We need to build some essential skills in analyzing the risks of data leakage in mobile code and in the applications our end-users want to run from the app store. And we need to ethically hack our networks to identify the real threat and exposure of mobile phone weaknesses.

I wrote this course to help people build their skills in all these areas, focusing on the topics and concepts that are most important and immediately useful. Every organization should have an analyst who has the skills for mobile phone security analysis and deployment. By taking this course, you will become an even more valued part of your organization. And we'll have lots of geeky fun in getting you there!